SOLVED Domains ACL behavior

Status
Not open for further replies.

ubergoober

New Member
Mar 10, 2018
FusionPBX Version 4.4.3
Freeswitch Version 1.8.4 (32bit) running on Odroid XU4 Octacore Arm

I'm struggling to turn up a DID number from Flowroute. For various reasons, I need my in-laws' phone to ring at my home, so we ported it to Flowroute and while it's working, I'm not sure it's that secure.

Initially, Freeswitch was requesting authorization on inbound DID calls, which I think was a remnant of my failed attempt to register a station from the internet. So, I turned off auth-calls. Freeswitch then responded with a 407 Forbidden, despite putting Flowroute's IP addresses in the Domains Access Control List which is default deny, but allow for the IP/32 CIDR of the Flowroute server.

Watching SNGrep showed all kinds of OPTIONs messages coming from Flowroute, to which Freeswitch responded. But when I receive an INVITE message from the same Flowroute IP, freeswitch logs show the domains ACL blocking the message.

Disabling "apply-inbound-acl" allowed the call to go through, but I'd rather limit my exposure to only the Flowroute servers.

Pasting that log in below. Any advice?

recv 994 bytes from udp/[216.115.69.144]:5060 at 00:18:41.979351:
------------------------------------------------------------------------
INVITE sip:1206523****@192.168.1.23:5080;transport=udp SIP/2.0
Record-Route: <sip:216.115.69.144;lr>
Max-Forwards: 66
Record-Route: <sip:199.21.64.132;lr>
To: <sip:+1206523****@fl.gg>
From: <sip:+1425*******@fl.gg>;tag=gK0a23fdde
Via: SIP/2.0/UDP 216.115.69.144;branch=z9hG4bK2b41.cab91f900f8b62efca4f5b540e91dad0.0
Via: SIP/2.0/UDP 54.71.6.127:5060;branch=z9hG4bK2b41.32e304906b0d605cabbadd8bf39c34b6.0
Via: SIP/2.0/UDP 199.21.64.132;branch=z9hG4bK2b41.f2e0ce590f3f3040744290c686be8efc.0
Via: SIP/2.0/UDP 4.55.21.227:5060;branch=z9hG4bK0aBc41070e52aeb30b8
Call-ID: 906634939_48143166@4.55.21.227
CSeq: 6295 INVITE
Contact: <sip:+1425*******@4.55.21.227:5060>
Content-Length: 219
Content-Type: application/sdp
P-Asserted-Identity: <sip:+1425*******@fl.gg>

v=0
o=- 17711 6405 IN IP4 4.55.21.194
s=-
c=IN IP4 4.55.21.194
t=0 0
m=audio 20964 RTP/AVP 0 8 18 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=maxptime:20
------------------------------------------------------------------------
2019-10-30 00:18:43.859947 [NOTICE] switch_channel.c:1104 New Channel sofia/external/+1425*******@fl.gg [909dfa55-b598-47bf-8b72-476a79a83584]
2019-10-30 00:18:43.859947 [DEBUG] switch_core_state_machine.c:584 (sofia/external/+1425*******@fl.gg) Running State Change CS_NEW (Cur 1 Tot 1)
2019-10-30 00:18:43.859947 [DEBUG] sofia.c:10092 sofia/external/+1425*******@fl.gg receiving invite from 216.115.69.144:5060 version: 1.8.4+git git 749a6e1 2019-01-14 19:31:33Z 32bit
2019-10-30 00:18:43.859947 [WARNING] sofia.c:10256 IP 216.115.69.144 Rejected by acl "domains"
2019-10-30 00:18:43.859947 [DEBUG] switch_core_state_machine.c:603 (sofia/external/+1425*******@fl.gg) State NEW
send 748 bytes to udp/[216.115.69.144]:5060 at 00:18:41.983283:
------------------------------------------------------------------------
SIP/2.0 403 Forbidden
Via: SIP/2.0/UDP 216.115.69.144;branch=z9hG4bK2b41.cab91f900f8b62efca4f5b540e91dad0.0
Via: SIP/2.0/UDP 54.71.6.127:5060;branch=z9hG4bK2b41.32e304906b0d605cabbadd8bf39c34b6.0
Via: SIP/2.0/UDP 199.21.64.132;branch=z9hG4bK2b41.f2e0ce590f3f3040744290c686be8efc.0
Via: SIP/2.0/UDP 4.55.21.227:5060;branch=z9hG4bK0aBc41070e52aeb30b8
From: <sip:+1425*******@fl.gg>;tag=gK0a23fdde
To: <sip:+1206523****@fl.gg>;tag=y8S4y5U7QyN1F
Call-ID: 906634939_48143166@4.55.21.227
CSeq: 6295 INVITE
User-Agent: FreeSWITCH
Accept: application/sdp
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

------------------------------------------------------------------------
2019-10-30 00:18:43.859947 [NOTICE] sofia.c:2411 Hangup sofia/external/+1425*******@fl.gg [CS_NEW] [CALL_REJECTED]
 

ad5ou

Active Member
Jun 12, 2018
Try removing your IP from the "domain" field on all of those ACL entries.
The "domain" field is only required for special instances in server clusters.
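
To tell this kind of ACL misconfiguration apart from default deny doing its job, the following added example (not part of the original thread) scans FreeSWITCH log text for the "Rejected by acl" warning shown in the question and flags source IPs that fall inside CIDRs you meant to allow. The INTENDED_ALLOW list, the function name and the second sample log line (198.51.100.7) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the rejection line quoted in the thread, plus one made-up
# rejection from a documentation address that is NOT meant to be allowed.
SAMPLE_LOG = """\
2019-10-30 00:18:43.859947 [WARNING] sofia.c:10256 IP 216.115.69.144 Rejected by acl "domains"
2019-10-30 00:19:02.120001 [WARNING] sofia.c:10256 IP 198.51.100.7 Rejected by acl "domains"
"""

# Assumption: the CIDRs you believe the ACL allows (here the /32 from the thread).
INTENDED_ALLOW = ["216.115.69.144/32"]

# Matches the sofia warning format seen in the log above.
REJECT_RE = re.compile(r'\[WARNING\] sofia\.c:\d+ IP (\S+) Rejected by acl "([^"]+)"')


def audit_rejections(log_text, intended_allow, acl_name="domains"):
    """Return (unexpected, expected) dicts of {source_ip: hit_count}.

    unexpected: rejected although the IP is inside an intended allow CIDR,
                i.e. the ACL is not behaving the way it was configured.
    expected:   rejected and not in any allow CIDR (default deny working).
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in intended_allow]
    unexpected, expected = {}, {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group(2) != acl_name:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not a parseable IP, skip the line
        # Membership is False when address and network families differ.
        bucket = unexpected if any(ip in n for n in nets) else expected
        bucket[str(ip)] = bucket.get(str(ip), 0) + 1
    return unexpected, expected


if __name__ == "__main__":
    bad, ok = audit_rejections(SAMPLE_LOG, INTENDED_ALLOW)
    for ip, n in bad.items():
        print(f"ACL mismatch: {ip} rejected {n}x but is in the intended allow list")
    for ip, n in ok.items():
        print(f"default deny: {ip} rejected {n}x")
```

Any entry in the first dict means the ACL entries need review before falling back to disabling apply-inbound-acl.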
 